feat(workflows): add reusable _update-flake-input workflow

.github/workflows/_update-flake-input.yml

@@ -0,0 +1,98 @@
+# Reusable: Update flake input
+# Bumps a single flake.lock input in the calling repo and opens a squash-
+# mergeable PR. If the input is already at the latest rev, exits cleanly
+# with no PR. Called by consumer repos (nix-ai, nix-darwin) via
+# repository_dispatch when an upstream dryvist repo cuts a release.
+name: _update-flake-input
+
+on:
+  workflow_call:
+    inputs:
+      input_name:
+        description: >-
+          Name of the flake input to update (e.g. "nix-claude-code", "nix-ai").
+          Must match an entry in the calling repo's flake.nix inputs block.
+        type: string
+        required: true
+      runner_label:
+        description: >-
+          GitHub Actions runner label. Defaults to the RunsOn 2-cpu linux
+          runner used by the rest of the dryvist automation stack.
+        type: string
+        required: false
+        default: "runs-on=${{ github.run_id }}/runner=2cpu-linux-x64"
+    secrets:
+      GH_APP_PRIVATE_KEY:
+        required: true
+
+concurrency:
+  group: update-flake-input-${{ inputs.input_name }}-${{ github.repository }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  update:
+    name: Bump ${{ inputs.input_name }}
+    runs-on: ${{ inputs.runner_label }}
+    environment: automation
+    timeout-minutes: 20
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Generate GitHub App Token
+        id: app-token
+        uses: actions/create-github-app-token@v3
+        with:
+          client-id: ${{ vars.GH_APP_CLIENT_ID }}
+          private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
+
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+
+      - name: Install Nix
+        uses: DeterminateSystems/determinate-nix-action@v3
+
+      - name: Update flake input
+        # Use env var — never interpolate inputs directly into run: (injection risk).
+        env:
+          INPUT_NAME: ${{ inputs.input_name }}
+        run: nix flake update "$INPUT_NAME"
+
+      - name: Check for changes
+        id: diff
+        run: |
+          if git diff --quiet flake.lock; then
+            echo "changed=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Create Pull Request
+        if: steps.diff.outputs.changed == 'true'
+        uses: peter-evans/create-pull-request@v8
+        with:
+          token: ${{ steps.app-token.outputs.token }}
+          sign-commits: true
+          branch: chore/bump-${{ inputs.input_name }}
+          delete-branch: true
+          commit-message: "chore(deps): bump ${{ inputs.input_name }} flake input"
+          title: "chore(deps): bump ${{ inputs.input_name }} flake input"
+          body: |
+            Automated flake input update triggered by a release in `${{ inputs.input_name }}`.
+          labels: dependencies
+          author: "github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>"
+
+      - name: Enable auto-merge
+        if: steps.diff.outputs.changed == 'true'
+        # Use env var for the branch name — input_name must not be shell-interpolated.
+        env:
+          GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          INPUT_NAME: ${{ inputs.input_name }}
+        run: |
+          PR=$(gh pr list --head "chore/bump-${INPUT_NAME}" --json number --jq '.[0].number')
+          [ -n "$PR" ] && gh pr merge "$PR" --auto --squash || true